/etc/inc/ipsec.auth-user.php - Annotate - pfSense - pfSense bugtracker

| Branch: | Tag: | Revision:

root/etc/inc/ipsec.auth-user.php @ eb26d310

1	52c9f9fa	Ermal	#!/usr/local/bin/php -f
2			<?php
3			/*
4	6317d31d	Phil Davis	ipsec.auth-user.php
5	52c9f9fa	Ermal
6	6317d31d	Phil Davis	Copyright (C) 2008 Shrew Soft Inc
7			Copyright (C) 2010 Ermal Luçi
8			Copyright (C) 2013-2015 Electric Sheep Fencing, LP
9			All rights reserved.
10	52c9f9fa	Ermal
11	6317d31d	Phil Davis	Redistribution and use in source and binary forms, with or without
12			modification, are permitted provided that the following conditions are met:
13	52c9f9fa	Ermal
14	6317d31d	Phil Davis	1. Redistributions of source code must retain the above copyright notice,
15			this list of conditions and the following disclaimer.
16	52c9f9fa	Ermal
17	6317d31d	Phil Davis	2. Redistributions in binary form must reproduce the above copyright
18			notice, this list of conditions and the following disclaimer in the
19			documentation and/or other materials provided with the distribution.
20	52c9f9fa	Ermal
21	6317d31d	Phil Davis	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
22			INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
23			AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
24			AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
25			OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26			SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27			INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28			CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29			ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30			POSSIBILITY OF SUCH DAMAGE.
31	52c9f9fa	Ermal
32			*/
33			/*
34			pfSense_BUILDER_BINARIES:
35			pfSense_MODULE: openvpn
36			*/
37			/*
38	4881e5a9	Ermal	* ipsec calls this script to authenticate a user
39	52c9f9fa	Ermal	* based on a username and password. We lookup these
40			* in our config.xml file and check the credentials.
41			*/
42
43			require_once("globals.inc");
44			require_once("config.inc");
45			require_once("radius.inc");
46			require_once("auth.inc");
47			require_once("interfaces.inc");
48
49			/**
50			* Get the NAS-Identifier
51			*
52			* We will use our local hostname to make up the nas_id
53			*/
54			if (!function_exists("getNasID")) {
55			function getNasID()
56			{
57			global $g;
58
59	e6867c81	Renato Botelho	$nasId = gethostname();
60			if(empty($nasId))
61			$nasId = $g['product_name'];
62			return $nasId;
63	52c9f9fa	Ermal	}
64			}
65
66			/**
67			* Get the NAS-IP-Address based on the current wan address
68			*
69			* Use functions in interfaces.inc to find this out
70			*
71			*/
72			if (!function_exists("getNasIP")) {
73			function getNasIP()
74			{
75			$nasIp = get_interface_ip();
76			if(!$nasIp)
77			$nasIp = "0.0.0.0";
78			return $nasIp;
79			}
80			}
81			/* setup syslog logging */
82	9eb4257f	Ermal	openlog("charon", LOG_ODELAY, LOG_AUTH);
83	52c9f9fa	Ermal
84	9e74f980	Ermal	if (isset($_GET['username'])) {
85	85d0e959	Ermal	$authmodes = explode(",", $_GET['authcfg']);
86			$username = $_GET['username'];
87			$password = $_GET['password'];
88			$common_name = $_GET['cn'];
89			} else {
90			/* read data from environment */
91			$username = getenv("username");
92			$password = getenv("password");
93			$common_name = getenv("common_name");
94	2a3e3057	Ermal	$authmodes = explode(",", getenv("authcfg"));
95	85d0e959	Ermal	}
96	52c9f9fa	Ermal
97			if (!$username \|\| !$password) {
98			syslog(LOG_ERR, "invalid user authentication environment");
99	fe06990e	Ermal	if (isset($_GET['username'])) {
100	85d0e959	Ermal	echo "FAILED";
101			closelog();
102			return;
103			} else {
104			closelog();
105	e2a319f3	Renato Botelho	exit (-1);
106	85d0e959	Ermal	}
107	52c9f9fa	Ermal	}
108
109			$authenticated = false;
110
111			if (($strictusercn === true) && ($common_name != $username)) {
112			syslog(LOG_WARNING, "Username does not match certificate common name ({$username} != {$common_name}), access denied.\n");
113	eadda967	Ermal	if (isset($_GET['username'])) {
114	85d0e959	Ermal	echo "FAILED";
115			closelog();
116			return;
117			} else {
118			closelog();
119	e2a319f3	Renato Botelho	exit (1);
120	85d0e959	Ermal	}
121	52c9f9fa	Ermal	}
122
123			$attributes = array();
124			foreach ($authmodes as $authmode) {
125			$authcfg = auth_get_authserver($authmode);
126			if (!$authcfg && $authmode != "local")
127			continue;
128
129			$authenticated = authenticate_user($username, $password, $authcfg, $attributes);
130	936fc874	Ermal	if ($authenticated == true) {
131	a9157b6b	Ermal	if (stristr($authmode, "local")) {
132			$user = getUserEntry($username);
133			if (!is_array($user) \|\| !userHasPrivilege($user, "user-ipsec-xauth-dialin")) {
134			$authenticated = false;
135	3c4fc30b	Chris Buechler	syslog(LOG_WARNING, "user '{$username}' cannot authenticate through IPsec since the required privileges are missing.\n");
136	a9157b6b	Ermal	continue;
137			}
138	936fc874	Ermal	}
139	52c9f9fa	Ermal	break;
140	936fc874	Ermal	}
141	52c9f9fa	Ermal	}
142
143			if ($authenticated == false) {
144	3260b82f	Ermal	syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
145	eadda967	Ermal	if (isset($_GET['username'])) {
146	85d0e959	Ermal	echo "FAILED";
147			closelog();
148			return;
149			} else {
150			closelog();
151	e2a319f3	Renato Botelho	exit (-1);
152	85d0e959	Ermal	}
153	52c9f9fa	Ermal	}
154
155			if (file_exists("/etc/inc/ipsec.attributes.php"))
156			include_once("/etc/inc/ipsec.attributes.php");
157
158	3260b82f	Ermal	syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
159	85d0e959	Ermal	closelog();
160	52c9f9fa	Ermal
161	eadda967	Ermal	if (isset($_GET['username']))
162	85d0e959	Ermal	echo "OK";
163			else
164	e2a319f3	Renato Botelho	exit (0);
165	52c9f9fa	Ermal
166			?>

Project

General

Profile

pfSense